Commit Graph

7964 Commits

Author SHA1 Message Date
frack113 d459483ef6 Enable Office dde (#2750)
Add registry_event_win_office_enable_dde
2022-02-27 07:40:19 +01:00
frack113 ec7319be21 Name Normalization 2022-02-27 07:39:46 +01:00
Florian Roth 3226504fbd Merge branch 'master' into aurora-false-positive-fixing 2022-02-26 13:18:26 +01:00
Florian Roth 52d30f4132 fix: FPs noticed with Aurora 2022-02-26 13:18:18 +01:00
Florian Roth de197e7897 Merge pull request #2747 from frack113/fix_detection
Fix detection
2022-02-25 19:04:16 +01:00
Florian Roth 5f8b16d147 Merge pull request #2748 from SigmaHQ/rule-devel
rules: Hermetic Wiper, BlackByte reports
2022-02-25 19:03:59 +01:00
Florian Roth f647e45e69 Merge pull request #2749 from redsand/fp_msiexec
Filters false positive from msiexec.exe
2022-02-25 19:03:45 +01:00
Tim Shelton 6d29b4c4a5 oof, misspelled detection type 2 2022-02-25 16:34:32 +00:00
Tim Shelton f6caaf795a oof, misspelled detection type 2022-02-25 16:32:33 +00:00
Florian Roth 744813ff87 rule: Hermetic Wiper group activity 2022-02-25 17:29:32 +01:00
Florian Roth eec5b1458c docs: wording change 2022-02-25 17:29:16 +01:00
Tim Shelton 9d06c3cfe7 Filters false positive from msiexec.exe 2022-02-25 16:17:01 +00:00
Florian Roth 653c39fe6a Merge pull request #2746 from SigmaHQ/aurora-false-positive-fixing
fix: FPs noticed with Aurora
2022-02-25 16:29:24 +01:00
Florian Roth d6d206d6d6 rules: BlackByte rule update, and some generic rules 2022-02-25 16:02:42 +01:00
frack113 775279423d Fix detection 2022-02-25 15:39:26 +01:00
Florian Roth 7baf014421 rule: BlackByte ransomware 2022-02-25 15:24:36 +01:00
Florian Roth 5901b41f95 fix: FPs noticed with Aurora 2022-02-25 13:55:37 +01:00
Florian Roth 701cb53f97 Merge pull request #2745 from SigmaHQ/rule-devel
rule: ScreenConnect Backstage, CrackMapExec Flags
2022-02-25 13:33:58 +01:00
Florian Roth b0b675b004 rule: CrackMapExec flags rule 2022-02-25 11:39:19 +01:00
Florian Roth 98c1c60758 Merge branch 'master' into rule-devel 2022-02-25 10:38:58 +01:00
Florian Roth 881d1f707e Merge pull request #2738 from humpalum/master
feat: CrashDump Disable Sigmarule
2022-02-25 10:38:15 +01:00
Florian Roth 3d609cfdf3 rule: ScreenConnect anomaly
https://www.mandiant.com/resources/telegram-malware-iranian-espionage
2022-02-25 10:31:58 +01:00
Florian Roth 89071f09e7 docs: changed technique to T1564 (Hide Artefacts)
https://attack.mitre.org/techniques/T1564/
2022-02-25 09:50:46 +01:00
Florian Roth a786ed36db add MITRE ATT&CK techniques 2022-02-25 09:25:22 +01:00
Florian Roth 6f79d70532 Merge branch 'master' into rule-devel 2022-02-25 09:19:16 +01:00
frack113 f4d5fc1f77 Merge pull request #2742 from neu5ron/patch-2
Update zeek_dns_suspicious_zbit_flag.yml
2022-02-25 06:39:19 +01:00
Nate Guagenti 7dc0facf05 Update zeek_dns_suspicious_zbit_flag.yml 2022-02-24 20:03:56 -05:00
frack113 73bffcacbf Merge pull request #2741 from Pooch11/win-dpapi-key
Fix detection criteria modifier to contains 'bckupkey'
2022-02-24 21:27:29 +01:00
frack113 beafcc7b4c Merge pull request #2740 from AndrewRathbun/master
Update proc_creation_win_susp_esentutl_params.yml - minor spelling error
2022-02-24 21:27:00 +01:00
Nate Guagenti 878df636e2 Update zeek_dns_suspicious_zbit_flag.yml
add MX, common mail server query type to exclusion list.
2022-02-24 14:57:24 -05:00
unknown 528cdd199b Update modified date 2022-02-24 14:38:35 -05:00
unknown 03048a1fdb Fix criteria to contains bckupkey 2022-02-24 13:55:34 -05:00
Florian Roth 220344f477 Merge pull request #2735 from SigmaHQ/rule-devel
rules: suspicious schtasks creation
2022-02-24 18:19:45 +01:00
Andrew Rathbun b17f2b3840 Update proc_creation_win_susp_esentutl_params.yml 2022-02-24 11:52:21 -05:00
Tobias Michalski d210e56e34 fix: Removed Spacing 2022-02-24 16:02:58 +01:00
Tobias Michalski 1b6483002b fix: Added newline 2022-02-24 15:57:13 +01:00
Tobias Michalski 573902c38d feat: CrashDump Disable Sigmarule 2022-02-24 15:55:36 +01:00
Tobias Michalski e89867848d Update sysmon_mimikatz_trough_winrm.yml 2022-02-24 11:27:57 +01:00
Tobias Michalski 4a6ab42c6b Update sysmon_mimikatz_trough_winrm.yml 2022-02-24 11:09:47 +01:00
Tobias Michalski 662e5ed66d fix: False Positives 2022-02-24 10:35:31 +01:00
frack113 2dc2b99714 Merge pull request #2736 from frack113/issues_2724
fix Provider_Name
2022-02-24 09:27:29 +01:00
Florian Roth 536910f7d7 fix: FPs with new task scheduler rule 2022-02-24 08:41:53 +01:00
frack113 ffe2dd2a00 fix Provider_Name 2022-02-24 06:54:22 +01:00
Florian Roth 1682bdb8a8 fix: condition section 2022-02-23 23:28:53 +01:00
Florian Roth 22fbf5bb0a fix: indentation of conditions 2022-02-23 23:28:22 +01:00
Florian Roth d455dec42c fix: wrong condition 2022-02-23 23:26:33 +01:00
Florian Roth 825bf41f51 rules: susp schtasks creation 2022-02-23 23:25:20 +01:00
Florian Roth 9561e155ed docs: changed title 2022-02-23 23:25:06 +01:00
Florian Roth 0005509c11 Merge pull request #2733 from phantinuss/master
fix: FPs
2022-02-23 20:27:49 +01:00
Florian Roth 4b7e8feebe Merge pull request #2731 from SigmaHQ/rule-devel
refactor: ncat rule, rule: explorer NOUACCHECK
2022-02-23 17:31:08 +01:00